Have We Reached Data Breach Fatigue?

With RSA Conference about to convene, it’s a good time to think about the year (OK, this time it is 14 months) that has passed since the last RSA Conference and wonder if we have made any real, discernible progress.

I would propose that the answer is a firm no and that the situation is exacerbated by growing data breach fatigue. For example, the U.K. alone was hit by 796 cyber attacks in 457 days.

It is a classic double whammy: The fact that we are not getting better means that there is more breach news, and the volume of breach news is creating fatigue that makes us numb to the growing problem.

In only a matter of weeks

The past several weeks have proven to be an interesting lab practical for my thesis. There was an announcement that over 5 million credit cards were stolen from the Hudson’s Bay Company, the company that operates Saks Fifth Avenue and Lord & Taylor.

Next came the announcement that Delta, Best Buy, and Sears were all part of a breach that compromised customer payment information. Panera Bread also announced a breach of the company’s website that some say placed the data of 37 million customers at risk.

The biggest splash was reserved for Facebook and the 87 million people affected by the Cambridge Analytica and Global Science Research imbroglio. Facebook’s Mark Zuckerberg will be hauled in front of indignant members of Congress to answer for this breach, and you can bet that several bills will be proposed by those looking for headlines. But this too shall likely pass.

The response of just these two weeks of activity has been underwhelming. There has been no great outcry against this violation of privacy or the inconvenience to the affected consumers.

We’re even desensitized when it comes to our finances

I believe the breaches of consumer credit card data are so frequent that they numb the general populace to the threat. We have all become adept at making the proper allowances when our credit cards are compromised and we get sent new ones. I have had to execute the drill of changing my credit card number on multiple sites several times in the past year. The first time is a shock, the second a nuisance, and the third is just one more ritual to be performed.

The companies affected seem equally desensitized, because history has shown they are not necessarily affected. They are certainly embarrassed when the news breaks, but these companies know, based on past transgressions, that they’ll suffer no permanent damage from these breaches, whether through company valuation or consumer activity. Dealing with several months of bad publicity seems to have become a cost of doing business, and companies know that as time passes, so will the reputational impact.

We may also be seeing a trend where businesses are attacked via third-party services that these businesses employ for certain activities such as credit card processing. The breach of Sears, Best Buy, and Delta, for example, was not a direct attack but an attack of a third-party firm shared by the three companies.

As businesses decide that securing credit card data is not a high priority and therefore offload the activity to third parties, it follows that the bad guys will soon recognize that breaching one of these services can get them access to the credit card data from multiple companies.

A growing rift between development and security

Another problem is the continuing disconnect between development and security. Development still views security as anathema to building code on schedule. That is because security has not yet fully woven security tools into the fabric of the development environment.

This is unfortunate, as there are tools that can help developers create secure software and actually improve developer productivity. Until the two sides get better at working together, the divide will persist, and web-facing applications will be vulnerable to attack.

All these issues feed the problem: More vulnerabilities create more attacks; more attacks breed additional fatigue. So how can we wake up and fix the problems creating such a widespread headache?

Will GDPR be an effective part of the solution?

The European Union is ramping up to enforce the General Data Protection Regulation (GDPR), which will take effect May 25, 2018. This data protection regulation applies to the processing of personal data of people in the EU by businesses that operate in the EU.

It’s worth mentioning that GDPR applies not only to firms based in the EU but to any organization providing a product or service to residents of the EU.

Only time will tell how effective this regulation will be when it comes to enforcing firms to secure data. I have a feeling we’ll have PCI déjà vu, in that regulation enforcement doesn’t necessarily equate to security. I’m curious how long it will take for attackers to outsmart GDPR and continue finding creative new ways to hack sensitive information.

At the same time, I hope I’m wrong. I hope that GDPR will evolve to outsmart attackers and that other governments around the globe will implement equally aggressive regulations to minimize threats.

What will we see at RSA?

I anticipate that RSA Conference visitors will still see a disproportionate emphasis on the perimeter even though statistics say that the majority of exploited vulnerabilities are found in software.

Building walls and hanging concertina wire is always an instinctive response to threats, so the budgets have not yet shifted from the perimeter to the real attack surface—the web-facing application.

What breach must occur to shake us all out of our fatigue? Will we see regulation in the near future that has a positive and productive effect? These are interesting premises to ponder as you walk the exhibit floors of RSA Conference.

Jim Ivers is VP of Marketing for the Software Integrity Group at Synopsys. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Cigital, Jim was the CMO at companies such as Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.